Richard Bussiere, Director, Product Management APAC, Tenable
In March 2018, the US-CERT published an alert that a multi-stage campaign against critical infrastructures was being conducted by Russia against targets in the United States. This alert was the result of detailed analysis of the attacks conducted by the Department of Homeland Security and the Federal Bureau of Investigation. The malicious activities are an attempt to compromise the networks of energy sector, government, transportation, energy production, and some critical manufacturing sectors. Typically, parts of these infrastructures include Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems that control the physical processes.
These attacks are ongoing, and they are not only against the United States. Any organization with ICS/SCADA networks is at risk for similar attacks. For example, the Australian Cyber Security Center reported that for the years 2016/17, there were 7283 cybersecurity incidents impacting major Australian businesses and of these 734 impacted private sector businesses that provided critical infrastructure.
The “ownership” of any critical infrastructure, public or private, can cause significant social or economic distress, with massive first, second and third order impacts. As a simple example, consider what are the effects an attack causing an outage of an urban mass transit system would have, even when if just for a few hours:
• Customers can’t get where they need to get and are delayed;
• People seek alternate modes of transport, which rapidly oversubscribes those modes;
• Street traffic increases, causing further delays;
• Meetings are delayed or cancelled;
• Commerce is impacted, sales that otherwise would have taken place, don’t take place.
Besides these effects, there is the added serious consequence of the loss of public trust in the victim organization.
Formerly ICS environments have operated in isolation. This is no longer true as business demands force the real-time extraction of process data from the ICS environment. Unfortunately, these new connections also increase the risk of cyber attacks against these brittle ICS infrastructures.
To help understand these new risks, let’s look at how attacks against critical infrastructures are orchestrated.
Attackers will conduct “open source” research on potential targets by studying publically available information. This research will reveal business partners, data on employees, data on infrastructure and so-on. All of this data is useful at identifying targets and designing attacks. Next, using this information, the attackers may attempt to find weakly defended networks, typically operated by suppliers or contractors that are connected to more strongly defended critical infrastructure targets.
Once breached, the partner/contractor network is used as a bridge to attack the critical infrastructure network. This effectively takes advantage of the trust relationship that exists between the subcontractors/partners and the true target of the attack, the critical infrastructure network.
Attackers may also use “watering holes” - for example trade and informational websites that relate to Industrial Control, Process Control, and Critical infrastructure. These sites will be laced with malicious content that can achieve a “drive by” breach to an unpatched web browser or entice the victim to download malicious content. Highly targeted spear-phishing attacks may also be used to penetrate the target networks.
Once the initial foothold is established, the attackers access the victim network and:
• Download additional tools to establish presence, persistence, and control.
• Use malicious tools to harvest credentials
• Create user accounts
• Attempt to escalate the privilege of these user accounts
• Disable any host firewalls
• Establish Remote Desktop Protocol access
• Install VPN Clients
• Research internal documents describing how the ICS environment is implemented
• Leverage IT/ICS network interconnectivity to control the ICS network in malicious ways.
There is one very important observation to make here: the “traditional” IT network is the initial vector of most attacks against ICS infrastructures. There are several reasons for this:
• The malicious operators can harvest credentials from the IT network.
• The malicious operators can conduct research on the infrastructure layout accessing systems using the harvested credentials.
• In most cases, there are connections between the traditional IT network and the ICS network that can be leveraged through the use of harvested credentials.
To accomplish these objectives, the malicious actors must:
• Exploit vulnerabilities
• Exploit weak endpoint configurations
• Install malware
• Create new user accounts
The reality is that “owning” the IT network is an effective way to ultimately “own” the ICS network, since for critical infrastructure operators the two are intimately related.
For operators of critical infrastructure, both the traditional IT environment and the ICS environment must be continuously monitored for not only indicators of compromise but also for proper configuration, the presence of vulnerabilities, and changes of state to the endpoints.
Some recommendations include:
• Discover all assets, all the time to understand and reduce risk due to “unknown unknowns”
• Continuously monitor devices for vulnerabilities
• Constantly search for the presence of unknown software or active unknown processes on endpoints
• Continuously monitor critical infrastructure devices for proper secure configuration and detect systems where the configuration has mysteriously changed
• Monitor for changes in critical directories or executable files to detect malicious modifications
• Monitor for new user accounts on endpoints which may have been created by malicious actors
• Continuously monitor the ICS environment for vulnerabilities and unusual traffic patterns
• Detect, monitor and understand in detail the connections that exist between the IT network and the ICS network
• Detect, monitor and understand in detail the connections that exist between “trusted” third parties and the IT network
• Detect, monitor and understand any outside connections that may exist directly to the ICS network
• Insist that “trusted” third parties comply with minimum security standards
• Consider universal adoption of two factor authentication
Given that the threat is real and ongoing, there is now a sense of urgency for operators of critical infrastructure to be diligent in the configuration and monitoring of their IT and ICS environments.